root nameserver hardware requirements

Jim Reid jim at rfc1035.com
Wed Sep 20 10:17:23 UTC 2000


>>>>> "jacob" == jacob  <jacob at freecommunity.com> writes:

    jacob> the implementation they finalized on was two cobalt's
    jacob> running linux as "the primary" with a hardware frontend
    jacob> load balancer and a netapp (shared with other applications)
    jacob> for common access to the zone files.

    jacob> i claim that is far more hardware than necessary and
    jacob> needlessly complex.

Indeed. The NetApp is not necessary, but since it's already there and
provides stable file storage, why not use it? Two cobalts (whatever
they are - PCs I presume) for name service will be fine. But they
should not be in one location on the same net. BTW load balancing and
"failover" is intrinsic to the DNS protocol. Fancy solutions to this
are usually a waste of money and add complexity without really making
a significant difference. Having two "primary"? servers sharing the
same file store could be an organisational problem, but if it works
for you, go ahead.

    jacob> i am wondering if anyone knows what an average hardware
    jacob> configuration is for a root nameserver.  this would be a
    jacob> nice point of reference.

www.isc.org has some details of f.root-servers.net. However a root
server is not a "nice point of reference". These servers operate under
extreme loads that are unrepresentative of the general traffic/load
for a typical name server. They also don't consult other servers to
resolve queries. Root servers get a few thousand queries per second
and tend to max out on CPU from the overhead of getting packets up and
down their TCP stack. Any other name servers that get remotely close
to this level of traffic live at places like aol.com where the staff
know how to provision for very heavy levels of DNS traffic.

    jacob> also, if performance is an issue,
    jacob> would it be wise to keep the recursive/caching and
    jacob> nonrecursive functions on separate machines?

It's wise to do this irrespective of performance. Not that performance
really matters for DNS on today's hardware unless DNSSEC is involved
and there's cryptographic verification of DNS packets. Use one set of
name servers for handling queries from other name servers and another
set for dealing with queries from desktops and end users. Both sets of
servers should be authoritative for your zones. The first set are the
ones advertised in your zone's NS records. The others should be
configured as "stealth" servers: they slave the zone, but are not
listed in the zone's NS records.
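The split Jim describes above (advertised authoritative servers on different networks, a separate recursive server for desktops that also slaves the zone but is not in the NS set), written out as BIND configuration. This is an added illustration, not anything from the original post or from ISC; the zone name example.com, the addresses 192.0.2.10, 198.51.100.10 and 192.0.2.53, and the host names are assumptions, and the master/slave keywords are the BIND 8/9 spelling.

```conf
// Added example (not from the original post). Assumed layout:
//   ns1.example.com      192.0.2.10      advertised, master copy
//   ns2.example.com      198.51.100.10   advertised, on a different network
//   resolver.example.com 192.0.2.53      stealth slave + caching resolver for desktops
// Three separate named.conf files follow, one per host.

// ---- ns1.example.com: advertised authoritative server ----
options {
    directory "/var/named";
    recursion no;                      // answers only for zones it holds
    allow-query { any; };
    // NOTIFY goes to the NS-listed servers by default; add the stealth slave
    also-notify { 192.0.2.53; };
    allow-transfer { 198.51.100.10; 192.0.2.53; };
};
zone "example.com" {
    type master;
    file "db.example.com";
};

// ---- ns2.example.com: second advertised server, different network ----
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
};
zone "example.com" {
    type slave;
    masters { 192.0.2.10; };
    file "sec/db.example.com";
};

// ---- resolver.example.com: stealth slave plus recursive resolver ----
options {
    directory "/var/named";
    recursion yes;                     // serves the desktops' lookups
    allow-query { 192.0.2.0/24; };     // internal clients only
    allow-transfer { none; };
};
zone "example.com" {
    type slave;                        // slaves the zone, so answers for it
    masters { 192.0.2.10; };           // are authoritative, not cached
    file "sec/db.example.com";
};

// ---- db.example.com (zone file on ns1, assumed contents) ----
// Only ns1 and ns2 appear in the NS set; 192.0.2.53 is deliberately
// absent, which is what makes it a "stealth" server.
//   $TTL 86400
//   @    IN SOA ns1.example.com. hostmaster.example.com. (
//              2000092001 3600 900 604800 3600 )
//        IN NS  ns1.example.com.
//        IN NS  ns2.example.com.
//   ns1  IN A   192.0.2.10
//   ns2  IN A   198.51.100.10
```

With this split, the two advertised servers give the failover the DNS protocol already provides (a resolver that gets no answer from one NS tries the other), and the recursive server keeps cache-poisoning exposure and desktop query load away from the machines the outside world depends on. The stealth slave still needs to be named in `also-notify` and `allow-transfer` on the master, since BIND derives its default NOTIFY and transfer peers from the NS records the server is not in.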


